# When Global Conflict Reaches the SOC: Respond at Scale with XSIAM

By [Brendan Powers](https://www.paloaltonetworks.com/blog/author/brendan-powers/?ts=markdown "Posts by Brendan Powers") | Apr 01, 2026 | 5 minutes

On February 28, the United States launched Operation Epic Fury. In the hours that followed, cyber risk related to Iran rose quickly, with coordinated activity emerging across regions from hacktivists and proxy groups. Moments like these require teams to strengthen their defenses and respond in real time.

In a surge, the hardest part is not seeing signals. It is deciding which ones to trust and acting before attackers turn minutes into impact.

Unit 42 is clear about what matters right now: implement strict out-of-band verification, increase response to threat signals around internet-facing infrastructure, patch and harden fast, and train employees on phishing and social engineering.

This post focuses on what comes after the guidance: how you operationalize it inside the SOC. Two Cortex XSIAM modules map directly to this moment:

* Attack Surface Management helps you find what is exposed and close exposure windows fast.
* Threat Intelligence Management helps you treat indicators like a pipeline, not a spreadsheet, so verification becomes repeatable and auditable.

## **Readiness Checklist for the Escalation of Cyber Risk Related to Iran**

1. Use attack surface management to inventory internet-facing assets and exposed services.
2. Prioritize and close the highest-risk exposure windows through patching or mitigation.
3. Use threat intelligence management to ingest campaign indicators, enrich them, and merge duplicates.
4. Turn out-of-band verification into a case workflow with clear approvals and auditability.
5. Run a 30-day lookback to find missed indicators and suspicious activity, then remediate with context.

## **Shrink Exposure Windows with Attack Surface Management**

During crisis conditions, attackers start with what they can reach. Internet-facing assets, remote access services, and misconfigurations do not wait for your quarterly scan.

Attack surface management gives you continuous outside-in visibility into public-facing assets, including unknown and unmanaged infrastructure. That matters because most surge risk hides in the seams: the host you forgot, the service that came back online, the cloud edge that no one owns.

What you should do in the first 48 hours is simple:

* Inventory what is internet-facing.
* Prioritize the assets that matter most to the campaign.
* Patch where you can, mitigate where you cannot, and verify closure.

You are not trying to perfect the environment. You are trying to close the paths attackers can walk today.

![Fig. 1: The Cortex Attack Surface Management dashboard provides practitioners with clear insight into external-facing threats.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2026/04/word-image-355405-1.png)

Fig. 1: The Cortex Attack Surface Management dashboard provides practitioners with clear insight into external-facing threats.
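The first-48-hours loop above (inventory, prioritize, patch or mitigate, verify closure, watch for regression) written out as an added Python example, including the patch-versus-mitigate decision the next section describes. This is not Cortex code and calls no Cortex API: the scan results, hostnames, priority weights and the `REMOTE_ACCESS` set are all constructed for illustration, and the scoring is an assumption standing in for whatever your attack surface tool reports.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

Key = tuple[str, int, str]                     # (host, port, service) identifies one exposed service
Window = tuple[datetime, Optional[datetime]]   # (first seen exposed, verified closed; None = still open)


@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    service: str
    owner: Optional[str]    # None = unknown or unmanaged infrastructure: nobody patches it unasked
    misconfigured: bool     # e.g. an admin interface reachable without authentication
    fix_available: bool
    safe_to_patch: bool     # False when the patch cannot go in right now (change freeze, untested)

    @property
    def key(self) -> Key:
        return (self.host, self.port, self.service)


REMOTE_ACCESS = {"vpn", "rdp", "ssh", "citrix"}   # what attackers reach for first during a surge


def priority(e: Exposure) -> int:
    """Rank by whether the exposure is an actionable path today; weights are assumptions for this example."""
    score = 1
    if e.service in REMOTE_ACCESS:
        score += 3
    if e.owner is None:
        score += 2
    if e.misconfigured:
        score += 2
    return score


def decide(e: Exposure) -> str:
    """Two fast paths: patch when a fix exists and is safe to apply, otherwise mitigate."""
    return "patch" if e.fix_available and e.safe_to_patch else "mitigate"


def triage(exposures: list[Exposure]) -> list[tuple[Key, int, str]]:
    """Highest-priority exposures first, each with the chosen response path."""
    return [(e.key, priority(e), decide(e)) for e in sorted(exposures, key=priority, reverse=True)]


def exposure_windows(scans: list[tuple[datetime, set[Key]]]) -> dict[Key, list[Window]]:
    """Turn a series of outside-in scans into per-service windows: a window opens when a service is
    first seen and closes when a later scan no longer sees it. More than one window = it came back."""
    windows: dict[Key, list[Window]] = {}
    open_since: dict[Key, datetime] = {}
    for when, seen in sorted(scans, key=lambda s: s[0]):
        for key in seen - set(open_since):
            open_since[key] = when
        for key in [k for k in open_since if k not in seen]:
            windows.setdefault(key, []).append((open_since.pop(key), when))
    for key, since in open_since.items():
        windows.setdefault(key, []).append((since, None))
    return windows


def regressions(windows: dict[Key, list[Window]]) -> set[Key]:
    """Exposures that were verified closed and later reappeared."""
    return {k for k, ws in windows.items() if len(ws) > 1}


def hours_exposed(windows: dict[Key, list[Window]], now: datetime) -> dict[Key, float]:
    """Cumulative hours each service has been reachable; still-open windows count up to `now`."""
    return {k: sum(((closed or now) - opened).total_seconds() / 3600 for opened, closed in ws)
            for k, ws in windows.items()}


# Constructed sample: three daily scans of the same estate during a surge.
T0 = datetime(2026, 3, 1, 8, 0)
VPN, RDP, PANEL = ("vpn-edge-01", 443, "vpn"), ("legacy-app", 3389, "rdp"), ("www-02", 8443, "admin-panel")
SCANS = [
    (T0, {VPN, RDP, PANEL}),
    (T0 + timedelta(hours=24), {VPN, PANEL}),   # RDP closed after the day-1 mitigation
    (T0 + timedelta(hours=48), {VPN, RDP}),     # admin panel fixed; RDP came back (regression)
]
EXPOSURES = [
    Exposure(*VPN, owner="netops", misconfigured=False, fix_available=True, safe_to_patch=False),
    Exposure(*RDP, owner=None, misconfigured=False, fix_available=True, safe_to_patch=True),
    Exposure(*PANEL, owner="web", misconfigured=True, fix_available=False, safe_to_patch=True),
]

if __name__ == "__main__":
    for key, score, action in triage(EXPOSURES):
        print(f"priority={score} {action:<9} {key}")
    windows = exposure_windows(SCANS)
    print("regressions:", regressions(windows))
    print("hours exposed:", hours_exposed(windows, T0 + timedelta(hours=48)))
```

The point of keeping windows rather than a flat list of findings is the last scan: the RDP service that was closed on day 1 is back on day 2, and `regressions` surfaces that without anyone re-reading the day-1 ticket. `hours_exposed` is the number to report during a surge, because it measures the path an attacker had, not how many findings the scanner produced.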
## **Patch and Harden Fast, with a Second Path for Mitigation**

"Patch faster" is correct advice, but it is not sufficient advice. In practice, you need two fast ways to respond: patch when a fix is available and safe, or mitigate when patching can't happen immediately.

Attack surface management supports both by focusing on exposure windows, not vulnerability volume. It prioritizes the exposures that create real, actionable paths right now. In practice, it usually looks like this:

* Confirm the exposed service and where it lives.
* Decide patch versus mitigate.
* Apply the change.
* Confirm the asset is no longer exposed, and keep monitoring for regression.

## **Make Out-of-Band Verification a Workflow with Threat Intelligence Management**

Attackers weaponize trust during surges. The most dangerous actions often start with an urgent request: approve access, reset credentials, click the link, share the file, send the money. Out-of-band verification works best when it's built into the workflow.

Threat Intelligence Management makes verification easier by automating how indicators are handled. You can ingest indicator sources from feeds and lists, extract indicators from alerts, and enrich and score indicators so analysts get context quickly. You can also manage how indicators are merged when the same indicator shows up from multiple sources, so your team is not debating duplicates instead of making decisions.

That turns verification into a repeatable sequence:

* Is this domain, IP, or hash already known?
* What is the verdict and why?
* Where has it appeared in our environment?
* What action should fire: block, allow list, monitor, or investigate?

Tier 1 analysts aren't left to improvise anymore. Instead, you are giving them a structured process.

## **The Missing Step: a 30-day Lookback**

Here is the angle most teams skip, and it is the one that pays back the fastest. Do a 30-day lookback.
In fast-moving situations, early signals get logged without context, or dismissed as noise. The lookback is how you catch what you missed when the campaign was still forming.

Run a time-boxed retrospective:

* Take the newest indicators from Unit 42 and your internal reporting.
* Search for them across your recent telemetry.
* Correlate matches with exposure context, especially internet-facing assets.
* Hunt for quiet precursors: odd logins, unusual SaaS access, strange VPN behavior, and new outbound connections.

You are looking for patterns that were invisible in real time, but obvious in hindsight.

## **Conclusion**

Global conflicts such as Operation Epic Fury do not require a new security philosophy. They require a faster one. Use attack surface management to shrink exposure windows. Use threat intelligence management to verify signals and act consistently. Then do the lookback so you are not defending the last 24 hours while the attacker is already working on the next 24.

**Next step: read the [Unit 42 Epic Fury brief](https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/), then book a [Cortex XSIAM demo](https://www.paloaltonetworks.com/cortex/request-demo?utm_source=google-jg-amer-cortex-socf-siem&utm_medium=paid_search&utm_campaign=google-cortex-xsiam-amer-multi-lead_gen-en-brand&utm_content=7014u000001eFwiAAE&utm_term=palo%20alto%20cortex&cq_plac=&cq_net=g&gad_source=1&gad_campaignid=21711491258&gbraid=0AAAAADHVeKnD9uQb5qsY-YqJmYHX38lol&gclid=EAIaIQobChMIxO-Lk-edkwMVlxmtBh2dki5DEAAYASAAEgIpgfD_BwE&ts=markdown) to run this checklist against your environment.**
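The verification sequence from the Threat Intelligence Management section (is it known, what is the verdict, where has it appeared, which action fires) and the 30-day lookback described above, combined in one added Python example because both run over the same normalized indicator set. This is not Cortex code and calls no Cortex API. The feeds, the allow list, the internet-facing asset set, the log lines, the `update-portal.example` / `203.0.113.77` values and `FAKE_HASH` are all constructed for the example; the merge policy (sources unioned, most severe and then most confident verdict wins) and the action thresholds in `decide` are assumptions, not product behavior.

```python
import re
from datetime import datetime, timedelta

# Everything in this section is constructed sample data, not real indicators or telemetry.
NOW = datetime(2026, 3, 2, 12, 0)          # assumed "now" for the 30-day lookback
LOOKBACK = timedelta(days=30)
FAKE_HASH = "a1b2c3d4" * 8                 # placeholder SHA-256 (64 hex chars)

FEEDS = [  # indicator sources: a vendor brief, a public list, and indicators extracted from alerts
    {"source": "unit42-brief", "value": "update-portal[.]example", "verdict": "malicious", "confidence": 90},
    {"source": "osint-list", "value": "hxxp://Update-Portal.example/login", "verdict": "suspicious", "confidence": 60},
    {"source": "osint-list", "value": "203.0.113.77", "verdict": "malicious", "confidence": 70},
    {"source": "alert-extract", "value": "203.0.113.77", "verdict": "suspicious", "confidence": 50},
    {"source": "osint-list", "value": "vpn.corp-example.com", "verdict": "suspicious", "confidence": 40},
    {"source": "unit42-brief", "value": FAKE_HASH.upper(), "verdict": "malicious", "confidence": 95},
    {"source": "osint-list", "value": "198.51.100.9", "verdict": "suspicious", "confidence": 30},
]
ALLOW_LIST = {"vpn.corp-example.com"}              # our own VPN, wrongly listed by a noisy feed
INTERNET_FACING = {"vpn-edge-01", "legacy-app"}    # hosts from the attack surface inventory
LOGS = [  # key=value telemetry lines with ISO-8601 timestamps
    "2026-01-15T09:00:00 type=dns host=ws-002 user=amir qname=update-portal.example",
    "2026-02-27T22:14:05 type=dns host=ws-114 user=jlee qname=update-portal.example",
    "2026-02-28T03:40:11 type=vpn host=vpn-edge-01 user=svc-backup src=203.0.113.77 result=success",
    "2026-03-01T10:02:33 type=proxy host=ws-114 user=jlee dst=198.51.100.200",
    "2026-03-01T11:30:00 type=file host=legacy-app user=SYSTEM sha256=" + "ffeeddcc" * 8,
]

SEVERITY = {"benign": 0, "unknown": 1, "suspicious": 2, "malicious": 3}
IOC_FIELDS = ("qname", "src", "dst", "sha256")     # log fields that can carry an indicator


def normalize(value: str) -> str:
    """Refang and canonicalize so the same indicator from different feeds collides on one key."""
    v = value.strip().lower().replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")
    v = re.sub(r"^https?://", "", v)
    return v.split("/")[0]                 # URL -> host; IPs and hashes pass through unchanged


def merge(feeds: list[dict]) -> dict[str, dict]:
    """Collapse duplicates: union the sources, keep the most severe (then most confident) verdict."""
    merged: dict[str, dict] = {}
    for rec in feeds:
        key = normalize(rec["value"])
        cur = merged.setdefault(key, {"value": key, "sources": set(), "verdict": "unknown", "confidence": 0})
        cur["sources"].add(rec["source"])
        if (SEVERITY[rec["verdict"]], rec["confidence"]) > (SEVERITY[cur["verdict"]], cur["confidence"]):
            cur["verdict"], cur["confidence"] = rec["verdict"], rec["confidence"]
    return merged


def parse(line: str) -> dict:
    """Parse one 'timestamp k=v k=v ...' telemetry line into a dict with a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts)
    return event


def lookback(logs: list[str], indicators: dict, internet_facing: set,
             now: datetime = NOW, window: timedelta = LOOKBACK) -> list[dict]:
    """Search the last `window` of telemetry for known indicators; tag each hit with exposure context."""
    start = now - window
    hits = []
    for ev in map(parse, logs):
        if ev["ts"] < start:               # outside the time box
            continue
        for field in IOC_FIELDS:
            if field in ev and normalize(ev[field]) in indicators:
                hits.append({"indicator": normalize(ev[field]), "ts": ev["ts"], "host": ev["host"],
                             "event": ev["type"], "internet_facing": ev["host"] in internet_facing})
    return hits


def decide(ind: dict, hits: list[dict], allow_list: set = ALLOW_LIST) -> str:
    """Allow list beats everything; a sighting needs a human; corroborated malicious gets blocked."""
    if ind["value"] in allow_list:
        return "allow list"
    if any(h["indicator"] == ind["value"] for h in hits):
        return "investigate"
    if ind["verdict"] == "malicious" and (ind["confidence"] >= 80 or len(ind["sources"]) >= 2):
        return "block"
    return "monitor"


def run(feeds: list[dict] = FEEDS, logs: list[str] = LOGS) -> dict[str, dict]:
    """Ingest, merge, look back, decide: one pass from raw feeds to an action per indicator."""
    indicators = merge(feeds)
    hits = lookback(logs, indicators, INTERNET_FACING)
    for ind in indicators.values():
        ind["hits"] = [h for h in hits if h["indicator"] == ind["value"]]
        ind["action"] = decide(ind, hits)
    return indicators


if __name__ == "__main__":
    for ind in run().values():
        where = [f"{h['host']} ({h['event']})" for h in ind["hits"]] or ["not seen"]
        print(f"{ind['value'][:32]:<34} {ind['verdict']:<10} conf={ind['confidence']:<3} "
              f"sources={len(ind['sources'])} action={ind['action']:<11} seen={', '.join(where)}")
```

Two details carry the weight here. `normalize` is what makes "merge duplicates" work at all: the same domain arrives defanged in one feed and as a full URL in another, and without canonicalization the analyst sees two indicators and two verdicts. And the lookback reports not just that `203.0.113.77` was seen, but that it was seen as a successful VPN login on a host the attack surface inventory marks internet-facing, which is the exposure context the retrospective is supposed to add; the January sighting falls outside the 30-day box and is deliberately not returned.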